Performance Data for the Security Program
Should Be Corrected

April 2004

Reference Number: 2004-20-093

This report has cleared the Treasury Inspector General For Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

April 27, 2004

MEMORANDUM FOR COMMISSIONER

FROM: Gordon C. Milbourn III
      Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report - Performance Data for the Security Program Should Be Corrected (Audit # 200420001)

This report presents the results of our review of the Internal Revenue Service (IRS) security program performance data. The overall objective of this review was to validate performance measure data reported by the IRS to the Department of the Treasury related to the number of systems that underwent a security self-assessment in Fiscal Year (FY) 2003. This report is being furnished to you since protection of taxpayer information is the ultimate responsibility of all IRS executives and managers.

The Federal Information Security Management Act (FISMA)[1] requires Federal Government agencies to annually assess the security controls in place to protect the information and systems that support their operations and to report those results to the Office of Management and Budget (OMB). To ensure sensitive taxpayer information is adequately and appropriately protected, business unit leaders must take ownership of the security of their assigned systems and integrate security into daily program responsibilities.

In summary, we found that the information provided by the Chief Information Officer (CIO) to the Department of the Treasury in September 2003 was inaccurate. Neither the IRS business unit managers nor the CIO's staff tested security controls for the 352 applications that required a security self-assessment. Specifically, the CIO's staff sorted the 352 applications into 10 groups, 1 group for each of the 10 operating systems. All applications assigned to an operating system were given the same assessment as each of the other applications for that operating system. Apparently, the CIO's staff assumed every application running on an operating system had the same controls. The business unit managers who own the applications were asked to validate that the assessments for the operating systems were accurate for the respective applications, even though no testing of the application controls was conducted.

While we agree it is important for the Information Technology organization to test operating system controls, it is also important for business unit managers to ensure application security controls are tested. Application security controls are critical for providing adequate security over taxpayer data. Application security controls often provide the last defense against a disgruntled employee or contractor who may wish to inappropriately access sensitive information or disrupt computer operations.

The OMB did not issue instructions to Federal Government agencies for completing the FY 2003 FISMA reports until August 2003. However, self-assessments have been required since October 2000 by the Government Information Security Reporting Act.[2] The IRS did not begin to conduct its self-assessments until the summer of 2003. As a result, it rushed to answer the required questionnaire and jeopardized the credibility of the assessment process by claiming that all applications running on a specific operating system had the same level of controls.

We recommended the Commissioner hold business unit managers accountable for the security of their applications and ensure annual self-assessments of their applications are conducted in accordance with the FISMA requirements. To ensure accurate information is reported in compliance with the FISMA, we recommended the Chief, Mission Assurance, amend the IRS information provided to the Department of the Treasury in September 2003 and resubmit the corrected information. We also recommended the Chief, Mission Assurance, coordinate with business unit managers to define the roles and responsibilities for assessing the security of all sensitive applications for the FY 2004 self-assessments required by the FISMA.

Management's Response: IRS management agreed that business unit managers should be held accountable for ensuring annual self-assessments of their systems are conducted. The response stated that actions have already been taken to address this issue and provided no further corrective actions.

Management disagreed with our recommendation that the Chief, Mission Assurance, revise the number of systems reported to the Department of the Treasury to reflect that the IRS assessed 10 operating systems but did not review any sensitive applications. They stated that all systems/applications were reviewed to determine the managerial, technical, and operational security measures in place. Management also stated that managerial and operational controls were reviewed through methods other than the FISMA self-assessments.

Finally, management agreed with our recommendation that the Chief, Mission Assurance, coordinate with business unit managers to help define the roles and responsibilities for assessing the security of all sensitive applications during FY 2004 in accordance with the FISMA. Corrective actions are in process. Management's complete response to the draft report is included as Appendix V.

Office of Audit Comment: Management actions taken to ensure business unit managers are accountable for the security of their systems and annual tests of their applications are conducted have not been effective. To adequately protect information, business unit managers must understand the current status of their security programs and the security controls planned or in place in order to make informed judgments and investments that appropriately reduce risk. As we reported, the IRS has yet to conduct self-assessments of any of its applications, other than those that have undergone certification and accreditation. Without annual testing as required by the FISMA, management has no means to fully understand the current status of their security controls. Signing a form that presents an assessment of an operating system does not, in our view, provide management with an adequate basis for understanding the security of its applications.

We continue to maintain the validity of our recommendation that the IRS revise the number of systems reviewed as reported to the Department of the Treasury. It is inaccurate for the IRS to state that 569 systems/applications were reviewed. As stated in our report, all applications assigned to an operating system were given the same assessment as each of the other applications for that operating system, thus indicating that operating systems were assessed but applications were not. We also maintain the identical assessments indicate that reviews of managerial and operational controls in the applications were not conducted through other methods.

In addition, the Chief, Mission Assurance, stated that the IRS has revised its categorization of systems/applications for certification and accreditation activities as well as for vulnerability tracking and FISMA reporting. Initially, 87 general support systems, major applications, and applications of interest have been identified and will be used as the basis for FY 2004 FISMA reporting. The Chief, Mission Assurance, is attempting to bundle or associate the remaining low-impact applications with those 87 systems and applications scheduled for certification. This approach seems to be consistent with guidance from the National Institute of Standards and Technology (NIST) for certification and accreditation activities.[3] However, to fully comply with the guidance, the IRS must conduct at least some testing based on risk on the low-impact applications, not just the 87 major systems and applications.

While we still believe our recommendation is worthwhile, we do not intend to elevate our disagreement concerning this matter to the Department of the Treasury for resolution. Department of the Treasury and IRS officials are currently seeking clarification regarding the NIST guidance as it relates to the IRS' certification and accreditation activities. We will continue to monitor this issue in relation to the IRS' compliance with the FISMA requirements for FY 2004. Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions, or your staff may call Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

[1] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[2] FY 2001 Defense Authorization Act (P.L. 106-398).
[3] Final Draft Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (dated April 2004).


Table of Contents

Background ..... Page 1
The Internal Revenue Service Did Not Conduct Security Self-Assessments of Its Applications ..... Page 2
    Recommendation 1 ..... Page 5
    Recommendation 2 ..... Page 6
    Recommendation 3 ..... Page 7
Appendix I – Detailed Objective, Scope, and Methodology ..... Page 8
Appendix II – Major Contributors to This Report ..... Page 9
Appendix III – Report Distribution List ..... Page 10
Appendix IV – Methodology Required for Self-Assessments ..... Page 11
Appendix V – Management's Response to the Draft Report ..... Page 12


Background

On December 17, 2002, the President signed the Electronic Government Act, which includes Title III, the Federal Information Security Management Act (FISMA).[1] The FISMA and Office of Management and Budget (OMB) guidance provide a framework for annual information technology (IT) security reviews, reporting, and remediation planning to assist Federal Government agencies in meeting their IT security responsibilities.

The FISMA requires that Federal Government agencies annually evaluate and report on the security of their information systems. To promote standardization among the agencies, the OMB requires responses to specific requests for information. Inspectors General are required to respond independently to most of the items requested. Agencies then submit both sets of responses to the OMB with their annual budget requests.

As required by the FISMA, the Treasury Inspector General for Tax Administration and the Internal Revenue Service (IRS) each prepared responses to the information requested by the OMB on the status of security in the IRS for Fiscal Year (FY) 2003. Some of the responses required empirical information for the entire fiscal year, but the responses had to be forwarded to the Department of the Treasury in August 2003 so they could be consolidated with other bureaus and submitted timely to the OMB. None of the IRS system reviews had been completed by August 2003. As a result, the IRS projected results for the number of systems reviewed and submitted an updated report on September 30, 2003.

Guidance from the OMB states that all systems (applications), other than those that have been certified during the current year, must be reviewed. The necessary depth and breadth of an annual review depend on several factors such as the potential risk and magnitude of harm to the system or data, the relative comprehensiveness of last year's review, and the adequacy and successful implementation of planned corrective actions. The salient point is that an effective security program requires maintaining sound and effective computer security practices and demands a comprehensive and continuous understanding of program and system weaknesses.

The OMB requires Federal Government agencies to use the National Institute of Standards and Technology (NIST) Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, to conduct their annual reviews. The NIST Self-Assessment Guide lists 17 control topics categorized into 3 major control areas: management, operational, and technical. See Appendix IV for further details regarding the three major control areas.

We initiated this review to validate the accuracy of the information reported to the Department of the Treasury regarding the number of systems and applications reviewed. We evaluated the methodology used by the IRS for the security self-assessments and interviewed management from the Large and Mid-Size Business (LMSB), Small Business/Self-Employed (SB/SE), Tax Exempt and Government Entities (TE/GE), and Wage and Investment (W&I) Divisions who own the majority of IRS systems.

We conducted our audit from October 2003 through January 2004 at the Office of Mission Assurance in New Carrollton, Maryland. The audit was performed in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).


The Internal Revenue Service Did Not Conduct Security Self-Assessments of Its Applications

To maintain adequate security in a network environment, controls are required for each sensitive application and for the operating systems on which the applications run. Operating system controls help ensure only authorized persons have access to the network. Application controls help deter disgruntled employees and contractors who already have access to the network from inappropriately accessing sensitive information and disrupting computer operations.

For the FY 2003 FISMA reporting period covering October 2002 through September 2003, the IRS Security Services function within the Chief Information Officer (CIO) organization was responsible for reviewing security controls for each of the operating systems used in the IRS. The FISMA requires that agency program officials (business unit managers) annually review the applications supporting their programs. The CIO's staff took the responsibility of providing guidance to business owners and for accumulating and reporting the results to the Department of the Treasury. Beginning in October 2003, the Chief, Mission Assurance, assumed these responsibilities.

For several years, the IRS has struggled to identify the total number of systems and applications and is not yet confident that the total number is accurate. The IRS is working with the Department of the Treasury to identify an accurate inventory of systems and applications, and we are addressing this issue in another review for which we will issue an audit report later this year.

As of September 30, 2003, the IRS reported an inventory of 10 operating systems and 424 sensitive applications. It also reported that 72 sensitive applications had been certified or recertified during FY 2003 and that it had completed self-assessments on the remaining 352 applications.

The information provided by the CIO to the Department of the Treasury in September 2003 was inaccurate. Neither the IRS business unit managers nor the CIO's staff tested security controls for the 352 applications. Instead, the CIO's staff prepared assessments for the 10 operating systems and sorted the 352 applications into 10 groups, 1 group for each of the 10 operating systems. All applications assigned to an operating system were given the same assessment as each of the other applications for that operating system. Apparently, the CIO's staff assumed all applications running on a particular operating system had the same controls.

The business unit managers who own the applications were asked by the CIO's staff to validate that the assessments for the operating systems were accurate for the respective applications, even though no testing of the application controls was conducted. Business unit managers made minimal changes to only 8 (2 percent) of the 352 assessments.

The OMB did not issue instructions to Federal Government agencies for completing the FY 2003 FISMA reports until August 2003. However, self-assessments have been required since October 2000 by the Government Information Security Reporting Act.[2] The IRS did not begin to conduct its self-assessments until the summer of 2003. As a result, it rushed to answer the NIST questionnaire and jeopardized the credibility of the assessment process by claiming that all applications running on a specific operating system had the same level of controls.

We spoke to representatives of the LMSB, SB/SE, TE/GE, and W&I Divisions to determine the extent of their input to the FY 2003 assessment process. Collectively, these business units own the majority of IRS applications. The representatives stated that they did not have the knowledge or expertise to comment on or validate assessments of the operating systems, nor did they review the current risk assessments and security plans for the applications.

In addition, business unit managers expressed confusion regarding what is expected of them and their roles in meeting the FISMA requirements. They were not sure if they were supposed to partner with the IT organization to gain the necessary expertise or how they would obtain the resources for such an effort. Some were understandably confused as to how an assessment of an operating system could be used to assess an application.

In lieu of providing feedback on the assessments, business unit managers focused their attention on validating application ownership and the assigned risk level for each application. They did sign a statement acknowledging that assessments were completed and that they understood the risks associated with the applications.

Business unit managers also expressed apprehension with the overall assessment process and suggested a need for the Office of Mission Assurance to provide a clear vision and define objectives and expectations, to assist them in executing their responsibilities with the process. They also expressed concern that preparations for the FY 2004 assessment have not been communicated. Because activities for FY 2003 were centered on application ownership and application risk levels, they do not have a clear understanding of what their roles will be in subsequent FISMA initiatives.

[2] FY 2001 Defense Authorization Act (P.L. 106-398).


Recommendations

To ensure adequate security of information and systems, the Commissioner should:

1. Hold business unit managers accountable for the security of their applications and ensure annual self-assessments of their sensitive applications are conducted in accordance with the FISMA.

Management's Response: Management agreed with this recommendation. Management cited actions taken during FY 2003 but provided no further corrective actions. During implementation of the FISMA in 2003, the Office of Mission Assurance conducted numerous briefings and discussions to communicate FISMA requirements and provide guidance to business unit staffs and other senior IRS officials to assist them in completing all required FISMA program reviews or security controls testing. A FISMA Service Level Agreement, which supported the implementation of the FISMA Security Assessments, was approved and signed by the Acting Chief, Security Services, on September 3, 2003.

Office of Audit Comment: The actions taken to ensure business unit managers are accountable for the security of their systems and annual tests of their applications are conducted have not been effective. Business unit managers must understand the current status of their security programs and the security controls planned or in place to protect their information, in order to make informed judgments and investments that appropriately reduce risk.

As we reported, the IRS has yet to conduct self-assessments of any of its applications, other than those that have undergone certification and accreditation. Without annual testing as required by the FISMA, management has no means to understand the current status of their security controls. Signing a form that presents an assessment of an operating system does not, in our view, provide management with an adequate basis for understanding the security of its applications.

To ensure accurate information is reported in compliance with the FISMA, the Chief, Mission Assurance, should:

2. Revise the number of systems reported to the Department of the Treasury to reflect that the IRS assessed only 10 operating systems and did not include reviews of any sensitive applications.

Management's Response: Management disagreed with this recommendation and its related finding. They stated that each of 569 systems/applications was reviewed to determine the managerial, technical, and operational security measures in place. Management also stated that managerial and operational controls were reviewed through methods other than the FISMA self-assessments.

Office of Audit Comment: We maintain it is inaccurate to state that 569 systems/applications were reviewed. As stated in our report, all applications assigned to an operating system were given the same assessment as each of the other applications for that operating system, thus indicating that operating systems were assessed but applications were not. We also maintain the identical assessments indicate that reviews of managerial and operational controls in the applications were not conducted through other methods.

In addition, the Chief, Mission Assurance, stated that the IRS has revised its categorization of systems/applications for certification and accreditation activities as well as for vulnerability tracking and FISMA reporting. Initially, 87 general support systems, major applications, and applications of interest have been identified and will be used as the basis for FY 2004 FISMA reporting. The Chief, Mission Assurance, is attempting to bundle or associate the remaining low-impact applications with those 87 systems and applications scheduled for certification. This approach seems to be consistent with guidance from the NIST for certification and accreditation activities.[3] However, to fully comply with the guidance, the IRS must conduct at least some testing based on risk on the low-impact applications, not just the 87 major systems and applications.

[3] Final Draft Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (dated April 2004).

3. Coordinate with business unit managers to help define the roles and responsibilities for assessing the security of all sensitive applications during FY 2004 in accordance with the FISMA.

Management's Response: Management agreed with this recommendation and corrective actions are in process. The Office of Mission Assurance will be providing updated guidance to assist the business units and other senior officials in more clearly understanding FISMA requirements and associated roles and responsibilities.


Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to validate performance measure data reported by the Internal Revenue Service (IRS) to the Department of the Treasury related to the number of systems that underwent a security self-assessment in Fiscal Year 2003. To accomplish this objective, we:

I.  Reviewed self-assessments for each of the 352 sensitive applications. We sorted the 352 self-assessments by the operating system to which they were assigned and compared the results. All applications assigned to an operating system were given the same assessment as each of the other applications for that operating system. We confirmed with representatives of the Chief, Mission Assurance, that this was the approach taken. Since tests had not been performed for applications, no further review of the assessments was necessary.

II. Interviewed contact points in the four business units to determine if they had conducted any testing to support the self-assessments assigned to their business units and to discuss their understanding of what their roles will be in subsequent Federal Information Security Management Act[1] self-assessments.

[1] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).


Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Gerald Horn, Audit Manager
Abraham Millado, Senior Auditor
Joan Raniolo, Senior Auditor
Charles Ekholm, Auditor


Appendix III

Report Distribution List

Commissioner – Attn: Chief of Staff  C
Deputy Commissioner for Operations Support  OS
Deputy Commissioner for Services and Enforcement  SE
Commissioner, Large and Mid-Size Business Division  SE:LM
Commissioner, Small Business/Self-Employed Division  SE:S
Commissioner, Tax Exempt and Government Entities Division  SE:T
Commissioner, Wage and Investment Division  SE:W
Chief Information Officer  OS:CIO
Chief, Mission Assurance  OS:MA
Chief Counsel  CC
National Taxpayer Advocate  TA
Director, Office of Legislative Affairs  CL:LA
Director, Office of Program Evaluation and Risk Analysis  RAS:O
Office of Management Controls  OS:CFO:AR:M
Audit Liaison: Chief, Mission Assurance  OS:MA


Appendix IV

Methodology Required for Self-Assessments

The Office of Management and
Budget (OMB) requires Federal Government agencies to use the\nNational Institute for Standards and Technology (NIST) Special Publication 800-26, Security\nSelf-Assessment Guide for Information Technology Systems, to conduct their annual reviews.\nThe NIST Self-Assessment Guide lists 17 control topics categorized into 3 major control areas:\nmanagement, operational, and technical.\nManagement controls focus on the management of the security system and the management of\nrisk. Management controls include ensuring security plans are current and certifications are\nperformed timely.\nOperational controls are primarily implemented and executed by people (as opposed to systems).\nSome require technical expertise, but many can and should be assessed by operations managers\nwho have no technical expertise.\nTechnical controls are performed by computer systems. The controls can provide automated\nprotection from unauthorized access or misuse, facilitate detection of security violations, and\nsupport security requirements for applications and data.\nEach of the 17 control topics in the NIST Self-Assessment Guide has several questions that must\nbe answered by providing the level of effectiveness as follows:\n    \xe2\x80\xa2 Level 1 \xe2\x80\x93 Control objective documented in a security policy.\n    \xe2\x80\xa2 Level 2 \xe2\x80\x93 Security controls documented as procedures.\n    \xe2\x80\xa2 Level 3 \xe2\x80\x93 Procedures have been implemented.\n    \xe2\x80\xa2 Level 4 \xe2\x80\x93 Procedures and security controls are tested and reviewed.\n    \xe2\x80\xa2 Level 5 \xe2\x80\x93 Procedures and security controls are fully integrated into a comprehensive\n      program.\nThe questions should be answered by examining relevant documentation and conducting a\nrigorous examination and test of controls. 
The OMB suggests that the General Accounting\nOffice\xe2\x80\x99s Federal Information System Controls Audit Manual provides techniques that can be\nused to test the control objectives.\n\n\n\n\n                                                                                           Page 11\n\x0cPerformance Data for the Security Program Should Be Corrected\n\n                                                            Appendix V\n\n\n       Management\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                                Page 12\n\x0cPerformance Data for the Security Program Should Be Corrected\n\n\n\n\n                                                                Page 13\n\x0cPerformance Data for the Security Program Should Be Corrected\n\n\n\n\n                                                                Page 14\n\x0cPerformance Data for the Security Program Should Be Corrected\n\n\n\n\n                                                                Page 15\n\x0cPerformance Data for the Security Program Should Be Corrected\n\n\n\n\n                                                                Page 16\n\x0cPerformance Data for the Security Program Should Be Corrected\n\n\n\n\n                                                                Page 17\n\x0cPerformance Data for the Security Program Should Be Corrected\n\n\n\n\n                                                                Page 18\n\x0cPerformance Data for the Security Program Should Be Corrected\n\n\n\n\n                                                                Page 19\n\x0c'
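The comparison the auditors describe in Appendix I, applied to the level answers of Appendix IV, as an added example that is not part of the report: it groups constructed self-assessment records by operating system, flags every operating system whose applications all reported identical answers, and counts how many distinct assessments the records can support. The application and operating system names, and the three control topics used, are assumptions.

```python
from collections import defaultdict

# Three of the 17 NIST SP 800-26 control topics, one per control area (Appendix IV).
TOPICS = ("Risk Management", "Contingency Planning", "Audit Trails")
LEVELS = range(1, 6)  # Level 1 (policy documented) .. Level 5 (fully integrated)


def assessment(app, operating_system, *levels):
    """Build one self-assessment record; levels are given in TOPICS order."""
    if len(levels) != len(TOPICS):
        raise ValueError(f"{app}: expected {len(TOPICS)} levels, got {len(levels)}")
    answers = dict(zip(TOPICS, levels))
    bad = {t: lvl for t, lvl in answers.items() if lvl not in LEVELS}
    if bad:
        raise ValueError(f"{app}: levels outside 1-5: {bad}")
    return {"app": app, "os": operating_system, "answers": answers}


# Constructed sample records; application and operating system names are hypothetical.
SELF_ASSESSMENTS = [
    assessment("APP-A", "OS-1", 3, 2, 4),
    assessment("APP-B", "OS-1", 3, 2, 4),  # same answers as APP-A
    assessment("APP-C", "OS-1", 3, 2, 4),  # same answers as APP-A
    assessment("APP-D", "OS-2", 2, 3, 3),
    assessment("APP-E", "OS-2", 4, 3, 3),  # differs from APP-D: assessed separately
    assessment("APP-F", "OS-3", 5, 4, 4),  # only application on OS-3: nothing to compare
]


def _key(record):
    return tuple(sorted(record["answers"].items()))


def uniform_groups(records):
    """Map each operating system whose two or more applications reported
    identical answers to the list of those applications."""
    by_os = defaultdict(list)
    for record in records:
        by_os[record["os"]].append(record)
    flagged = {}
    for os_name, group in by_os.items():
        if len(group) >= 2 and len({_key(r) for r in group}) == 1:
            flagged[os_name] = [r["app"] for r in group]
    return flagged


def distinct_assessments(records):
    """Number of distinct (operating system, answers) pairs: the most that the
    records alone can support as separately assessed."""
    return len({(r["os"], _key(r)) for r in records})


if __name__ == "__main__":
    print("reported:", len(SELF_ASSESSMENTS))                  # 6 applications
    print("distinct:", distinct_assessments(SELF_ASSESSMENTS))  # 4 assessments
    for os_name, apps in uniform_groups(SELF_ASSESSMENTS).items():
        print(f"{os_name}: identical answers for {', '.join(apps)}")
```

The gap between the reported count and the distinct count is the figure the report says should be corrected; a flagged group is the signal to ask owners what application-level testing supported their answers.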